Jumpy Mocha Flamingo
Medium
Inadequate checks to confirm the correct status of the sequecncerUptimeFeed in DebitaChainlink.checkSequencer() contract will cause checkSequencer() to not revert even when the sequecncerUptimeFeed is not updated or is called in an invalid round.
https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/oracles/DebitaChainlink.sol#L50
The chainlink docs say that sequencerUptimeFeed can return a 0 value for startedAt if it is called during an "invalid round"
Please note that an "invalid round" is described to mean there was a problem updating the sequencer's status, possibly due to network issues or problems with data from oracles, and is shown by a startedAt time of 0 and answer is 0.
This makes the implemented check below in the DebitaChainlink.checkSequencer() to be useless if it is called in an invalid round:
uint256 timeSinceUp = block.timestamp - startedAt;
if (timeSinceUp <= GRACE_PERIOD_TIME) {
revert GracePeriodNotOver();
}
No response
No response
No response
The checkSequencer() function to not revert even when the sequecncerUptimeFeed is not updated or is called in an invalid round. Violation of invariant: In the event that the sequencer is down, no additional loans should be created immediately with Chainlink Oracles.
No response
function checkSequencer() public view returns (bool) {
(, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed
.latestRoundData();
// Answer == 0: Sequencer is up
// Answer == 1: Sequencer is down
bool isSequencerUp = answer == 0;
if (!isSequencerUp) {
revert SequencerDown();
}
console.logUint(startedAt);
+ if(startedAt == 0){
+ revert;
+ }
// Make sure the grace period has passed after the
// sequencer is back up.
uint256 timeSinceUp = block.timestamp - startedAt;
if (timeSinceUp <= GRACE_PERIOD_TIME) {
revert GracePeriodNotOver();
}
return true;
}